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Description 



DEVICE-TO -DEVICE AUTHENTIC ATION SYSTEM, DEVIC E -TO -D EVICE 
AUTHENTICATION METHOD, COMMUNICATION APPARATUS , 



AND COMPUTER PROGRAM 



Technical Field 

The present invention relates to a device-to-device 
authentication system, a device-to-device authentication 

10 method, a communication apparatus and a computer program, for 
managing the use of the contents such as music data, image 
data, digital data such as electronic publication, a motion 
picture or the like, which are distributed by a network or 
the like, in particular, to a device-to-device authentication 

15 system, a device-to-device authentication method, a 
communication apparatus and a computer program for managing 
the use of the contents within the scope of private use allowed 
by the copyright law. 

More specifically, the present invention relates to a 

20 device-to-device authentication system, a device-to-device 
authentication method, a communication apparatus and a 
computer program for managing the use of the contents within 
the scope of private use allowed by the copyright law on a 
home network connected to an external network via a router, 

25 in particular, to a device-to-device authentication method, 
a communication apparatus and a computer program for managing 
so that each client terminal on the home network uses the 
contents legitimately acquired on a home server within the 
scope of private use allowed by the copyright law. 

30 



Background Art 
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Owing to the recent diffusion of the Internet, various 
digital contents including a computer file are actively 
distributed on a network. Moreover, with the spread of a 
broadband communication network (xDSL (x Digital Subscriber 
5 Line), CATV (Cable TV), a wireless network or the like), a 
mechanism capable of transmitting the distribution of digital 
data such as music data, image data or electronic publication 
and even rich contents such as a motion picture without giving 
any stresses to a user is now being arranged. 
10 On the other hand, the distributed contents are digital 

data, and therefore, an unauthorized operation such as copy 
or falsification can be relatively easy to perform. Moreover, 
a fraud such as the copy or the falsification of the contents 
is currently frequently committed, which is a main cause of 
15 hampering the interest of a digital-content vendor. As a 
result, a vicious cycle that the price of the contents must 
be increased to result in the hindrance of diffusion is 

generated. 

For example, recently, the technology of a computer, 
20 a network or the like is steadily spreading to general 
households . An information device such as a personal computer 
for home use or a PDA (Personal Digital Assistants) and, in 
addition, various information home appliances such as a 
television set and a video playback apparatus are 
25 interconnected via a home network. In many cases, such a home 
network is interconnected to an external broadband network 
including the Internet via a router. After the contents 
legitimately acquired from a server on the Internet are stored 
in a server on the home network (hereinafter, referred to as 
30 a "home server") , the contents are distributed via the home 
network to another in-home terminal (client) . 
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Under the copyright law, the contents as copyright work 
are protected against unauthorized use such as unauthorized 
copy or falsification. On the other hand, an authorized user 
is allowed to copy the contents for private use, that is, for 
5 personal use, family use or other similar uses within a limited 
circle (see Copyright Law of Japan, Article 30). 

If the scope of private use is applied to the 
above-described home network, the client terminal connected 
to the home network is supposed tobe within the scope of personal 

10 use or family use. Therefore, it is considered that it is 
appropriate for the client terminal on the home network to 
make free use of the legitimately acquired contents in the 
home server (it is apparent that the number of terminals which 
can enjoy the contents is required to be limited to a certain 

15 number) . 

With a current technique, however, it is difficult to 
identify whether a client terminal logging into the home 
network is within the scope of private use or not. 

For example, since the home network is interconnected 

20 to an external network via a router based on an IP protocol, 
the home server does not know where a client making access 
actually is. If the home server provides the contents to 
external (remote) access, the use of the contents is 
substantially unrestrained. Therefore, the copyright for the 

25 contents is almost unprotected. As a result, a content creator 
may lose the motivation of the creation. 

Furthermore, if the home server allows the client 
terminal in the home network to use the contents in the same 
manner, the same client terminal logs into a plurality of home 

30 networks at time intervals. As a result, it can use the 
contents almost unrestrictedly. 
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On the other hand, if strict restrictions are imposed 
on the client terminal, a user cannot ensure the private use 
fundamentally allowed by the copyright law. As a result, the 
user cannot satisfactory enjoy the contents. Accordingly 
5 since the use of a home server or a content-distribution service 
is not well promoted, the development of content business 
itself may be impeded. 

For example, in consideration of the fact that a user 
who legitimately purchases copyright work is allowed for free 

10 use of it, a method for more easily obtaining consent from 
an owner of the rights to the contents for the copy and the 
use of information on a network by the user has been proposed 
(see, for example, Japanese Patent Application Publication 
No. 2002-73861). However, this method classifies users 

15 depending on the level of relation with the owner of the rights 
to the use of information and distributes the information by 
a different distribution method for each level of the relation . 
This method does not identify the extent of the scope of private 
use on the network. 

20 Furthermore, as a protocol constituting the home network, 

for example, an UPnP (registered trademark) has recently been 
known. The UPnP allows easy network construction without any 
complicated operations and allows a content-providing service 
between network-connected devices without any difficult 

25 operations and setting. Moreover, the UPnP is advantageous 
in that it is not dependent on an operating system (OS) and 
the addition of a device is easy. 

In the UPnP, network-connected devices exchange a 
definition file described in an XML ( extended Markup Language ) 

30 format for mutual authentication. The outline of processing 
of the UPnP is as follows. 
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(1) Addressing process : its own device ID such as an IP address 
is acquired. 

(2) Discovery process: each device on a network is searched 
so as to acquire information such as device type or a function 

5 contained in a response received from each device. 

(3) Service request process: a request is made for a service 
to each device based on information acquired by the discovery 
process . 

By such a processing procedure, a service can be provided 

10 and received using network-connected devices. A device to 
be connected to the network acquires a device ID by the 
addressing process and acquires information for other devices 
on the network by the discovery process, thereby enabling a 
service request. 

15 The contents stored in the home server can be accessed 

from other devices on the home network. For example, the 
contents can be acquired by a device implementing the UPnP 
connection. If the contents are video data or audio data, 
a TV or a player is connected as a network-connected device 

20 so that a movie or music can be enjoyed. 

However, in the device within the home network, for 
example, in the home server, the contents requiring copyright 
management such as private contents or pay contents are stored. 
Therefore, it is necessary to consider the countermeasure 

25 against unauthorized access. 

It is natural that access from a device of a user having 
the rights to the use (a license) of the contents is allowed. 
However, in a home network environment interconnected to the 
external network via a home router, even a user without a license 

30 can get into the home network. 

In order to exclude unauthorized access, for example, 
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the home server is made to have a list of clients whose access 
is allowed so that collation with the list is executed each 
time access to the home server is requested from a client. 
In this way, unauthorized access can be excluded. 
5 For example, MAC address filtering is known, which uses 

a MAC (Media Access Control) address corresponding to a 
physical address unique to each communication apparatus to 
set it as an access-allowable device list . More specifically, 
a MAC address of each device whose access is allowed is 

10 registered on a router or a gateway for isolating the internal 
network such as the home network and the external network from 
each other. A MAC address assigned to a received packet and 
the registered MAC address are collated with each other. 
Access f roma device with an unregisteredMAC address is refused 

15 (see, for example, Japanese Patent Application Publication 
No. 10-271154) . 

In order to construct the access-allowable device list, 
however, it is necessary to check the MAC addresses of all 
the devices connected to the internal network. Moreover, 

20 efforts to input all the acquired MAC addresses so as to create 
a list are required. Furthermore, in the home network, a 
connected device is relatively frequently changed . Therefore, 
the access-allowable device list has to be modified for each 
such change. 

25 

Disclosure of -the Invention 

An object of the present invention is to provide 
preferable device-to-device authentication system, 
device-to-device authentication method, communication 
30 apparatus and computer program, which are capable of suitably 
managing the use of the contents on a home network connected 
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to an external network via a router. 

Another object of the present invention is to provide 
preferable device-to-device authentication system, 
device-to-device authentication method, communication 
5 apparatus and computer program, which are capable of suitably 
managing so that each client terminal on a home network uses 
the contents legitimately acquired on a home server within 
the scope of private use allowed by the copyright law. 

The present invention is devised in view of the above 

10 issues. A first aspect thereof is a device-to-device 
authentication system for authenticating a device on a home 
network connected to an external network via a router, 
characterized by including: path disconnection means for 
connecting and disconnecting a path between the external 

15 network and the home network; and local environment management 
means for making the path disconnection means operate to 
isolate the home network from the external network at timing 
ensuring communication between devices on the home network, 
thereby achieving local communication in the home network. 

20 However, a "system" herein means a logical assembly of 

aplurality of apparatuses (or functional modules for realizing 
a specific function) , and each apparatus or functional module 
may be or may not be present in a single box body. 

Herein, one of the devices is a home server for 

25 legitimately acquiring the contents from the external network 
via the router, whereas the other device is a client for making 
a request for the contents to the home server for use. After 
the confirmation of the presence of both the devices on the 
same home network, the home server provides the contents and/or 

30 issues a license for the contents to the client. 

Under the copyright law, the contents as copyright work 
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are protected against unauthorized use such as unauthorized 
copy or falsification. On the other hand, an authorized user 
is allowed to copy the contents for private use, that is, for 
personal use, family use or other similar uses in a limited 
5 circle. 

Two or more home servers can be installed on the home 
network. In such a case, since client terminals on the same 
home network is under a local environment, each home server 
registers them as members to form a group in an independent 

10 manner so as to distribute the contents and issue a license 
for the use of the contents. Furthermore, the client terminal 
can be registered as a member simultaneously on two or more 
home servers on the same home network to belong to a plurality 
of groups so as to acquire a license of the contents from each 

15 of the home servers. 

In this case, since the client terminal is also under 
a local environment for each of the home servers and therefore 
is supposed to correspond to the scope of personal use or family 
use, it is appropriate for it to make free use of the contents 

20 of each of the home serves in the local environment. 

On the other hand, even if the client terminal can be 
registered on a plurality of home server as a member at the 
same time, it should not be allowed to belong to a plurality 
of groups of home servers over a plurality of home networks 

25 at time intervals. This is because the connection to another 
home network is corresponding to the shift of the client 
terminal to a remote environment for the first connected home 
network or the connection to one home network is equivalent 
to the presence of the client terminal in a remote environment 

30 for the other home networks . 

Therefore, in the device-to-device authentication 
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system according to the present invention, a client can use 
the contents acquired from a plurality of home servers on the 
same home network. However, upon connection to a home server 
on an other home network, the client is not able to use the 
5 contents acquired from the home servers on the home networks 
other than currently connected. 

A current network protocol does not provide any 
mechanisms for identifying whether devices that are 
interconnected through a network can privately use the contents 

10 within the scope of authenticity, that is, personal or family 
use. Therefore, in the present invention, the path between 
the home network and the external network is temporarily 
disconnected so as to ensure that devices capable of 
communicating each other in this period are present on the 

15 same home network. 

According to the present invention, a control mechanism 
for disconnecting or connecting the path between the home 
network and the external network is provided for, for example, 
a home router. Then, at the timing at which the communication 

20 under a local environment must be ensured such as at the 
registration of a client terminal by the home server as a member , 
the provision of the contents and the issuance of a license 
thereof, the path between the home network and the external 
network is disconnected. As a result, the home server performs 

25 local communication, so that only the client terminal present 
under the local environment can use the contents stored on 
the home server. 

After the completion of the local communication on the 
home network, or after the elapse of a predetermined time from 

30 the start of local communication, it is suitable to reestablish 
the path between the home network and the external network. 
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A second aspect of the present invention is a computer 
program described in a computer-readable format so as to 
execute a process for authenticating a device on a home network 
connected to an external network via router on a computer system, 
5 characterized by including the steps of: acquiring timing for 
ensuring communication between devices on the home network; 
and temporarily disconnecting a path between the external 
network and the home network at the timing so as to isolate 
the home network from the external network. 

10 The computer program according to the second aspect of 

the present invention defines a computer program described 
in a computer-readable format so as to realize a predetermined 
process on a computer system. In other words, the computer 
program according to the second aspect of the present invention 

15 is installed on a computer system, so that a cooperative 
function is demonstrated on the computer system. As a result, 
the same effects as those of the device-to-device 
authentication system according to the first aspect of the 
present invention can be obtained. 

20 The other ob j ect s , features and advantages of the present 

invention will be apparent from the detailed description based 
on the following embodiments of the present invention and the 
accompanying drawings . 

25 Brief Description of Drawings 

Fig. 1 is a diagram schematically showing a basic 
structure of a home network; 

Fig. 2 is a diagram showing an exemplary structure of 
a home network on which two home servers are present; 
30 Fig . 3 is a diagram showing a state where a client terminal 

is connected to a plurality of home networks; 
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Fig. 4 is a diagram schematically showing a structure 
of a home network according to one embodiment of the present 
invention; 

Fig. 5 is a diagram schematically showing a structure 
5 of a home network according to another embodiment of the present 
invention; 

Fig. 6 is a diagram schematically showing a hardware 
structure of a host apparatus connected to the home network 
as a server, a client or the like; 
10 Fig. 7 is a diagram showing an internal structure of 

a home router 40 for connecting a home network and an external 
network to each other; 

Fig. 8 is a diagram showing another embodiment example 
of an internal structure of the home router 40 for connecting 
15 the home network and the external network to each other; and 

Fig. 9 is an operation sequence diagram showing a 
processing procedure for disconnecting a path between the home 
network and the external network by the home router 40. 

20 Best Mode for Carrying Out the Invention 

Hereinafter, embodiments of the present invention will 
be described in detail with reference to the drawings. 

Under the copyright law, the contents as copyright work 
are protected against unauthorized use such as unauthorized 
25 copy or falsification. On the other hand, an authorized user 
is allowed to copy the contents for private use, that is, for 
personal use, family use or other similar uses in a limited 
circle (see Copyright Law of Japan, Article 30) . 

Assuming that a client terminal in a home network 
30 (hereinafter, also referred to as a "local environment") falls 
within the scope of private use, the inventors of the present 
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invention propose a system in which only a client under the 
local environment can uses the contents stored on a home server . 

Herein, the definition of the local environment will 
be described. 

5 Fig. 1 schematically shows a basic structure of a home 

network. As shown in the drawing, a home network installed 
in home is connected to an external network such as the Internet 
via a home router. 

On the home network, a home server and at least one client 

10 terminal are present. The home server legitimately acquires 
and stores the contents from a content server on the external 
network via the home router to distribute the contents in home . 
It is apparent that the home server can acquire the contents 
by means other than the network, such as a package media or 

15 broadcast reception. Each client terminal makes a request 
for desired contents to the home server so as to acquire them 
for use. 

The client terminals connected to the home network are 
present under the local environment, and it is supposed that 

20 they are within the scope of personal or family use . Therefore, 
it is considered that it is appropriate for the client terminals 
on the home network tomake free use of the contents legitimately 
acquired on the home server. 

Accordingly, the home server registers the client 

25 terminals under the local environment as members and issues 
a license for the contents distribution and the use of the 
contents . It is apparent that the number of terminals capable 
of enjoying the contents is required to be limited to a certain 
number . 

30 Under the local environment, the client terminal 

acquires the contents from the home server, uses the contents 
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such as for copy or streaming and can also take the contents 
out of the local environment (into a remote environment) for 
use . 

On the other hand, a client terminal that is not present 
5 on the home network, that is, in a remote environment, is not 

considered to be within the scope of personal or family use. 

If the client terminal in the remote environment is allowed 

to use the contents, the use of the contents is substantially 

unrestrained. As a result, the copyright for the contents 
10 is almost unprotected. Therefore, the home server neither 

registers the client in the remote environment as a member 

nor issues a license of the contents. 

In the example shown in Fig. 1, only one home server 

is present on the home network. However, it is apparent that 
15 two or more home servers may be installed on the same home 

server so that each of the home servers independently provides 

a distribution service of the contents in the home network. 

Fig. 2 shows an exemplary structure of the home network 

on which two home servers are present. 
20 In this case, since client terminals on the same home 

network are under a local environment, each of the home servers 

registers them as members to form a group so as to distribute 

the contents and to issue a license for the use of the contents . 

The client terminal acquires the contents from the home server, 
25 uses the contents such as for copy or streaming and can also 

take the contents out of the local environment (into a remote 

environment) for use. 

Furthermore, the client terminal can be registered 

simultaneously on two or more home servers on the same home 
30 network as members to belong to a plurality of groups and can 

acquire a license of the contents from each of the home servers . 
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In this case, the client terminal is also present under the 
local environment for the respective home servers and therefore 
it is supposed that it is within the scope of personal or family 
use. Therefore, it is considered that it is appropriate for 
5 the client to make free use of the contents of each of the 
home servers in the local environment. 

On the other hand, even if the client terminal can be 
registered on a plurality of home server as a member at the 
same time, it should not be allowed to belong to a plurality 

10 of groups of home servers over a plurality of home networks 
(see Fig. 3) . This is because the connection to another home 
network is corresponding to a shift of the client terminal 
to a remote environment for the first connected home network 
or the connection to one home network is equivalent to the 

15 presence of the client terminal in a remote environment for 
the other home networks. The local environment is within the 
personal or family scope, whereas the remote environment 
departs from the personal or family scope. 

It is technically possible for the client terminal to 

20 be connected to a plurality of home networks at time intervals . 
However, if the use of the contents is successively allowed 
with the connection, the use of the contents is substantially 
unrestrained. As a result, the copyright for the contents 
is almost unprotected. 

25 Summarizing the above, in order to realize a local 

environment that is supposed to be within the scope of personal 
or family use on the home network, the f ollowings are derived 
as necessary conditions. 

(1) The home server does not allow member registration from 
30 outside of the home network; and 

(2) When two or more home servers are present in the same home 
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network, member registration and group management are 
performed for each of the home servers. Each of the clients 
on the home network canbe registered on two or more home servers . 
However, the home servers simultaneously accepting the 
5 registration must be present in the same home network. 

In order to realize such a local environment, a mechanism 
for identifying whether the home server and the client terminal 
are present on the same home network or not is required between 
them. 

10 A current networkprotocol does not provide any mechanism 

for identifying a network, such as a home network, by segment. 
Therefore, the inventors of the present invention propose a 
method of providing a function of isolating the home network 
from the external network for a router or a gateway, which 

15 are interposed between the home network and the external 
network, so as to isolate or disconnect the home network from 
the external network when, for example, the home server 
registers a client as a member or provides the contents or 
issues a license thereof, thereby ensuring a client making 

20 a request is present in the same local environment as that 
of the home server. 

Fig. 4 schematically shows a structure of a home network 
according to an embodiment of the present invention. 

A home network installed in home is connected to a WAN 

25 such as the Internet or another LAN via a home router. The 
home router is set as a default Gateway of the home network . 

The home network is constituted by, for example, 
connecting a LAN cable of a host apparatus such as a home server 
or a client terminal to a hub (concentrator) . 

30 The host apparatuses on the home network, such as the 

home server, the client terminal and the home router, and a 
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host apparatus on the external network have MAC addresses, 
each being unique to a device. The host apparatus transmits 
and receives a packet including header information containing 
a destination MAC address and a source MAC address , for example, 
5 an Ethernet (registered trademark) frame via the network. 

The host apparatuses on the home network, such as the 
home server and the client terminal, are constituted as, for 
example, UPnP-compatible devices . In this case, the addition 
and the deletion of a connected device to/from the network 
10 are easy. A device to be connected to the network can enjoy 
service on the home network such as the use of the contents 
in accordance with the following procedure. 
( 1 ) Addressing process : its own device ID such as an IP address 
is acquired. 

15 (2) Discovery process: each device on a network is searched 
so as to acquire information such as device type or a function 
contained in a response received from each device. 
(3) Service request process: A request for a service is made 
to each device based on information acquired by the discovery 

20 process. 

On the home network, a local environment that is supposed 
to be within the scope of personal or family use is formed. 
Therefore, the home server legitimately acquires and stores 
the contents from a content server on the external network 

25 via the home router to distribute the contents in home. Each 
of the client terminals is allowed to make a request for desired 
contents to the home server so as to acquire them for use. 

Under the local environment, the client terminal 
acquires the contents from the home server to use the contents 

30 for copy or streaming. Furthermore, it can take the contents 
out of the local environment (into the remote environment) 
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for use. 

Fig. 5 schematically shows a structure of a home network 
according to another embodiment of the present invention. 

The home network is connected to a WAN such as the Internet 
5 or another LAN via a home router. In this case, the home router 
is also set as a default Gateway of the home network. 

This differs from Fig. 4 in that two home servers are 
present on the home network. The respective home servers may 
be simultaneously present on the home network or may be 
10 connected at a time interval. 

In this case, since the client terminals on the same 
home network are under the local environment, each of the home 
servers registers them as members to form a group so as to 
distribute the contents and to issue a license for the use 
15 of the contents. The client terminal acquires the contents 
from the home server, uses the contents such as for copy or 
streaming and can also take the contents out of the local 
environment (into a remote environment ) for use. Furthermore, 
the client terminal can be registered simultaneously on two 
20 or more home servers on the same home network as members to 
belong to a plurality of groups so as to acquire a license 
of the contents from each of the home servers . 

Fig. 6 schematically shows a hardware structure of a 
host apparatus connected to the home network as a server, a 
25 client or the like. 

The system is constructed mainly of a processor 10 . The 
processor executes various processes based on a program stored 
in a memory. The processor controls various peripheral 
devices connected through a bus 30. The peripheral devices 
30 connected to the bus 30 are as follows. 

A memory 2 0 is constituted of a semiconductor memory, 
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for example, a DRAM (Dynamic RAM) or the like and is used to 
load a program code executed in the processor 10 or to 
temporarily store operation data of an execution program. 

A display controller 21 generates a display image in 
5 accordance with a draw command sent from the processor 10 and 
transmits it to a display apparatus 22 . The display apparatus 
22 connected to the display controller displays and outputs 
the image on a screen in accordance with display image 
information transmitted from the display controller 21. 
10 An input /output interface 23, to which a keyboard 2 4 

and a mouse 25 are connected, transfers an input signal from 
the keyboard 24 or the mouse 25 to the processor 10 via the 
bus 30. 

A network interface 2 6 is connected to the home network 

15 (hub) and is further connected to the external network such 
as the Internet via the home router 40, and controls data 
communication through the Internet. Specifically, it 
transfers data transmitted from the processor 10 to another 
apparatus on the Internet and receives data transmitted through 

20 the Internet so as to pass it to the processor 10. 

A hard disk drive (HDD) controller 27, to which a 
high-capacity external storage apparatus 28 such as an HDD 
is connected, controls the input and output of data to the 
HDD- 28 to which the HDD controller 27 is connected. The HDD 

25 28 stores a program of an operating system (OS), an application 
program, a driver program and the like to be executed by the 
processor. The application program is, for example, a server 
application for authenticating each client terminal on the 
home network as the home server or for providing the contents 

30 or issuing a license, a client application for use of the 
contents such as for reproduction of the contents provided 
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by the server or the like, and the like. 

In order to constitute the host apparatus, a large number 
of electric circuits or the like are required in addition to 
those illustrated in Fig. 6. However, since they are known 
5 to those skilled in the art and do not constitute the gist 
of the present invention, they are omitted in this 
specification. Moreover, it should be understood that each 
connection between hardware blocks in the drawing is only 
partially illustrated in order to avoid the complication of 

10 the drawing. 

Fig. 7 shows an internal structure of the home router 
40 for connecting the home network and the external network 
to each other. A LAN communication section 41 corresponds 
to a transmission/reception function for performing 

15 communication with the home server. A disconnector 42 is a 
functional module for isolating or disconnecting the home 
network from the external network such as a WAN. A control 
section 43 controls the communication through the LAN 
communication section 41 so as to implement the authentication 

20 with the home server , to exchange a control message, to control 
the disconnector 42 and the like. A storage section 44 stores 
an operation program of the control section 43 and data 
necessary for it, key information for authentication and the 
like . 

25 Fig. 8 shows another embodiment of the home router 40. 

In a structure shown in the drawing, the WAN communication 
section 45 allows the home router 40 to communicate with the 
external network even after the external network and the home 
network are separated from each other by the disconnector 42. 

30 In this case, for example, by monitoring if there is another 
apparatus communicating with the external network, directing 
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the path disconnection to another apparatus, for example, 
another modem from the external network, confirming that the 
communication is disconnected in accordance with the direction 
through actual access to a predetermined server on the external 
5 network by using the WAN communication section 45, the 
realization of the disconnection is further ensured. 

Fig. 9 shows a processing procedure for disconnecting 
the path between the home network and the external network 
by the home router 40. 

10 The home server must ensure that the client terminal 

is present in the local environment, that is, on the same home 
network at the step of registering the client terminal as a 
member of a group in the home network or the step of providing 
the contents only available for private use or a license thereof 

15 for the client terminal. 

At the step at which local communication is required 
as described above, the home server requests the home router 
40 to disconnect the path to the external network. 

Prior to the path disconnection, the authentication may 

20 be executed so as to confirm that the home router 40 is a valid 
device working as required. However, as a general 
UPnP-compatible router, some routers can control the 
disconnection but do not have the authenticating function. 
Therefore, the authentication is not indispensable. 

25 For the authentication, for example, general 

challenge-response authentication or the like is used. In 
this case, a random number is transmitted from the home server 
to the home router 40. In response to it, the home router 
40 hashes a secret key shared with the home server in association 

30 with the random number so as to return it to the home server. 
The home server obtains an expected value which should be 
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returned from the home router 4 0 in the same method. If the 
concordance is confirmed, it is determined that the 
authentication is successful. Besides such a shared secret 
key-based method, there is a public key-based method of 
5 encrypting it by a secret key of the home router 40 to return 
it. 

After the successful authentication, the home server 
directs the home router 40 to disconnect the path. In this 
manner, while the home network is being isolated or 

10 disconnected from the external network, the home server perform 
local communication such as registration of the client terminal 
as a member of a group in the home network or provision of 
the contents only available for private use or a license thereof 
for the client terminal. 

15 The client terminal can be registered as a member or 

provided with the contents or a license thereof only in the 
case where it is present in the same local environment as that 
of the home server, thereby preventing spoofing from the 
external network. The use of the contents is allowed between 

20 the devices only in the local environment, so that unauthorized 

n 

distribution of the contents can be effectively restrained. 

Thereafter, the home server directs the home router to 
reestablish the path so as to reactivate the path disconnected 
between the home network and the external network. 

25 However, it is not necessary to disconnect the home 

network from the external network during the local 
communication . For example, the isolation of the home network 
from the external network for a predetermined period of time 
after the start of the local communication can ensure that 

30 the client terminal is present in the local environment. 
Therefore, the path between the home network and the external 



22 



network may be reestablished, not by the home router 40 in 
response to a direction (command) from the home server but 
in an autonomic way after elapse of a predetermined period 
of time from the path disconnection. 
5 For the above-described control after the successful 

authentication, there is a method of allowing a key to be shared 
throughout the authentication so as to protect the controlled 
communication by the key in order to prevent spoofing by the 
third party- For example, the above-described result of 

10 hashing is divided into a part used for authentication and 
a part used as a key. The key is used for hashing of a message 
of the controlled communication. Then, the result of hashing 
is transmitted with a control message, thereby allowing 
validity check of the message in the apparatus receiving them 

15 by the same hashing process. 

In an example of an operation sequence shown in Fig. 
9, the home router 40 executes the disconnection of the path 
between the home network and the external network in response 
to an explicit direction (a command addressed to itself) from 

20 the home server . However, the home router 40 may be configured 
so as to autonomically disconnect the path. For example, the 
home router 40 constantly monitors the operation on the home 
network (that is, a transfer command on the network) through 
the LAN communication section 41, and detects the timing for 

25 performing local communication such as the registration of 
a client terminal by the home server as a member of a group 
in the home network or the provision of the contents available 
only for private use or a license thereof for the client terminal . 
At such timing, it autonomically activates a disconnecting 

30 operation of the path. In this case, it is apparent that the 
home router 40 may be configured to autonomically reestablish 
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the path. 
Supplement 

The present invention has been described in detail above 
5 with reference to specific embodiments. However, it is 
obvious that those skilled in the art can modify or substitute 
the embodiments without departing from the gist of the present 
invention. Specif ically, the present invention is disclosed 
only by way of example, and therefore the description of the 
10 specification should not be read as limitative. In order to 
determine the gist of the present invention, the claims should 
be taken into consideration. 

Industrial Applicability 

15 According to the present invention, preferable 

device-to-device authentication system, device-to-device 
authentication method, communication apparatus and computer 
program, which are capable of suitably managing the use of 
the contents on a home network connected to an external network 

20 via a router, can be provided. 

Moreover, according to the present invention, 
preferable device-to-device authentication system, 
device-to-device authentication method, communication 
apparatus and computer program, which are capable of suitably 

25 managing so that each client terminal on a home network uses 
the contents legitimately acquired on a home server within 
the scope of private use allowed by the copyright law, can 
be provided. 

According to the present invention, the use of the 
30 contents is allowed between devices only in a local environment, 
so that the unauthorized distribution of the contents can be 



effectively restrained. 



